Data Protection Policy

by ASM

Purpose

This policy provides guidance on how Impact Africa Consulting Limited (hereinafter referred to as “IACL”) will handle the data it collects. It helps IACL comply with data protection law, protects the rights of data subjects and protects IACL from the risks associated with breaches of data protection.

Scope

This policy covers data collected, received and stored on the IACL owned physical and electronic databases and resource centre.

The policy applies to:

  1. Employees of IACL and all IACL-associated parties such as implementing partners, vendors, contractors and any other third party who handle and use IACL information (where IACL is the ‘Controller’ for the personal data being processed, whether in manual or automated form, or where others hold it on their systems for IACL);
  2. All personal data processing IACL carries out for others (where IACL is the ‘Processor’ for the personal data being processed); and
  3. All formats, e.g., printed and digital information, text and images, documents and records, data and audio recordings.

Definitions

Consent means any freely given, unambiguous and informed indication, by a statement or by a clear affirmative action, that signifies the data subject’s agreement to the processing of his/her personal data.

Data controller means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of the processing of personal data.

Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

Data processing means any operation performed on data, including collecting, recording, organising, storing, altering, retrieving, using, transmitting, disseminating, erasing or destroying data.

Data subject means an identified or identifiable natural person who is the subject of personal data.

Personal data means any information relating to an identified or identifiable natural person.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Sensitive personal data means data that reveals the natural person’s race, health status, ethnic or social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details (including the names of the person’s children, parents, spouse or spouses), sex, or the sexual orientation of the data subject.

Processing data means any operation or sets of operations performed on personal data whether or not by automated means, such as (a) collection, recording, organisation, structuring; (b) storage, adaptation or alteration; (c) retrieval, consultation or use; (d) disclosure by transmission, dissemination, or otherwise making available; or (e) alignment or combination, restriction, erasure or destruction.

Third party means any natural or legal person other than the user. Examples of third parties are national governments, international governmental or non-governmental organizations, private sector entities or individuals.

1.     Policy Guidelines

IACL shall, in dealing with personal information and data, ensure that the information/data is processed:

  1. without infringing the privacy rights of the data subject;
  2. in a lawful manner; and
  3. in a reasonable manner.

The collection, use, storage and transfer of personal data will only be done in a manner guided by the fundamental principles of IACL.

This policy will guide the IACL ICT Acceptable Use Policy, the Record Retention and Destruction Policy and the Accountability Framework.

2.     Accuracy

  1. IACL shall keep personal data/information as accurate as possible and shall update and systematically review it to ensure it fulfils the purpose(s) for which it is collected.
  2. The data subject may request the correction of personal data that is inaccurate, incomplete, unnecessary or
  3. When personal data is corrected, IACL will notify, as soon as is reasonably practicable, all third parties to whom the relevant personal data was transferred, as well as the data subject.

3.     Lawful and fair processing

  1. Data processing shall be carried out in a lawful and fair manner for specified and legitimate purposes, without prejudicing the fundamental rights and freedoms of data subjects.
  2. The processing shall only be justified on the basis of one (or more) of the following legal bases:
    1. the data subject has given his or her consent;
    2. the processing is necessary for the performance of a contract with the data subject;
    3. to meet legal compliance obligations;
    4. to protect the vital interests of the data subject or of any other person who may be indirectly affected;
    5. public interest; or
    6. to pursue IACL’s legitimate interests, provided those interests are not overridden by the interests or fundamental rights and freedoms of the data subjects.

4.     Further processing

  1. Further processing for research purposes shall comply with the conditions outlined in this policy in order to be compatible with the purposes for which the data was collected.
  2. Personal data which is processed for research purposes may be exempt from provisions of this policy if the results of the research and the statistical data are not made available in a form which identifies the data subjects.
  3. Further processing of data shall comply with the data protection principles set out in this policy, in particular by ensuring the security and confidentiality of sensitive personal data.

5.  Confidentiality

  1. The confidentiality of personal data must always be respected by IACL when processing data, with access to it limited on a need-to-know basis.
  2. IACL shall maintain the confidentiality of personal data throughout, and even after, the period in which the data subject is a person of concern to IACL.
  3. The data controller may specify other categories of personal data that will require additional safeguards and restrictions and may be classified as sensitive personal data.
  4. In the processing of sensitive personal data, the data controller will specify further grounds on which these categories will be processed, with consideration of:
    1. the increased risk of significant harm that may be caused to the data subject by processing this category of personal data;
    2. the degree of confidentiality attached to the category of personal data; and
    3. the level of protection afforded by the provisions applicable to personal data.
  5. The data controller shall process the personal data of children in a manner that protects their rights and best interests.
  6. The data controller will incorporate a process of obtaining parental consent and of age verification in order to process the personal data of children.

6.     Security

  1. IACL will ensure and implement a level of data security that is appropriate to the risks presented by the nature of the personal data and its processing, taking into account the level of technology available, the existing security conditions and the costs of implementing additional security measures.
  2. In order to ensure and respect confidentiality, personal data will be filed and stored in a way that is accessible only to authorized staff, and will be transferred only through protected means of communication.
  3. In order to ensure the confidentiality of personal data, IACL shall take appropriate technical and organizational data security measures.
  4. The risks addressed will include, but not be limited to, the risk of accidental or unlawful/illegitimate destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
  5. Access to personal data/content/knowledge shall be restricted to authorized personnel using it in the performance of their duties at IACL, as determined by appropriate authorization of both the staff or volunteer’s supervisor and data
  6. Personal data/content/knowledge may not be used by any employee or staff member for purposes other than the business of IACL.
  7. Staff and volunteers allowed access to personal data/content/knowledge of IACL shall sign a non-disclosure agreement prohibiting them from using the content for business other than IACL’s core business.
  8. Private email accounts shall not be used to transfer personal data.
  9. Information technology will be used to process, communicate and store IACL data and information, which will be classified as Confidential Information (CI).
  10. Data security measures will be routinely reviewed and upgraded as deemed appropriate to ensure that the level of protection is commensurate with the degree of sensitivity of the personal data, taking into account developments in technology that enhance data security.

7.   Accountability

  1. IACL will be responsible for compliance and will be required to demonstrate that appropriate measures have been employed within the organization to comply with the data protection guidelines.
  2. IACL will implement data protection training programs for all.
  3. IACL will bear the burden of proof to establish the data subjects’ consent to the processing of their personal data for a specific purpose.
  4. IACL will ensure that it is as easy to withdraw consent as it is to give it.

8.     Rights of data subjects

A data subject has a right to:

  1. be informed of the use to which their personal data is to be put;
  2. withdraw consent at any time;
  3. access their personal data in the custody of the data controller or data processor;
  4. object to the processing of all or part of their personal data;
  5. correction of false, inaccurate or misleading data;
  6. deletion of false or misleading data about them; and
  7. request the erasure of their personal data where it is irrelevant, excessive or was obtained unlawfully.

9.     Data collection

When collecting personal data from the user, IACL shall inform the user of the following in writing/orally and in a manner and language that is understandable to the user:

  1. The specific purpose(s) for which the personal data or categories of personal data will be processed.
  2. Whether such data will be transferred to third parties and the specific third parties.
  3. The data subject’s right to request access to their personal data, or correction or deletion of it.
  4. How to lodge a complaint with the data
  5. The mandate and contact details of the data

Where data is not collected directly from the data subject either orally or in writing, other means will be considered as far as is practicable such as radio communication, posters and flyers in an accessible location, online postings and any other appropriate method of transmission.

10.   Data Protection Impact Assessments

Where a type of processing in particular using new technology, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

A single assessment may address a set of similar processing operations that present similar high risks.

A data protection impact assessment shall in particular be required in the case of:

  1. a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; or
  2. a systematic monitoring of a publicly accessible area on a large scale.

The assessment shall contain at least:

  1. a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  2. an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  3. an assessment of the risks to the rights and freedoms of data subjects; and
  4. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Policy, taking into account the rights and legitimate interests of data subjects and other persons.

11.   Data retention and disposal

  1. Data will not be kept in a form that allows data subjects to be identified for longer than is needed for IACL’s legitimate purposes or the other purposes for which IACL collected it.
  2. The purposes of data retention shall include satisfying any legal, contractual, accounting or reporting requirements.
  3. Personal data may be retained for a longer period in the event of a complaint, or where there is reasonable belief that there is a prospect of litigation in respect of IACL’s relationship with the data subject.
  4. IACL shall take all reasonable steps to destroy or erase from its systems all personal data that are no longer required in accordance with the IACL’s Record Retention and Destruction Policy.

12.   Transfer of personal data to third parties

  1. IACL may transfer personal data to third parties with the data subject’s consent.
  2. IACL may only transfer personal data/content/knowledge to third parties on condition that the third party affords a level of data protection the same as or comparable to this Policy.
  3. In order to mitigate the risks associated with the transfer of data to third parties, IACL will only transfer data to a third party if:
    1. the data is stripped of personal and identifiable information;
    2. the transfer is based on one or more legitimate bases, including:
      1. explicit consent by the data subject;
      2. compliance with national or international law; or
      3. the exercise, establishment and defence of any contractual or legal obligations;
    3. the personal data to be transferred is adequate, relevant, necessary and not excessive in relation to the purpose(s) for which it is being transferred;
    4. the data subject has been informed, either at the time of collection or subsequently, about the potential transfer of his/her personal data;
    5. the third party has in the past respected the confidentiality of personal data transferred to them by IACL; and
    6. the third party maintains a high level of data security that protects personal data against the risk of accidental or unlawful/illegitimate destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

IACL will also ensure that transferring personal data does not negatively impact:

  1. The safety and security of the IACL staff and
  2. The effective functioning of an operation or compromise in the IACL’s mission, vision or fundamental principles, for example due to the loss of trust and confidence between the IACL and persons of concern.

The processing of sensitive personal data out of Kenya shall only be effected upon obtaining consent of a data subject and on obtaining confirmation of appropriate safeguards.

13.   Data transfer records

IACL shall keep and maintain full and accurate records reflecting all phases of data management cycle, including records of data subjects’ consents and procedures for obtaining consent, where consent is the legal basis of processing.

The data transfer records shall include, at a minimum:

  1. the name and contact details of the individual entity authorizing the transfer;
  2. clear descriptions of the personal data types;
  3. data subject types;
  4. processing activities;
  5. processing purposes;
  6. third-party recipients of the personal data;
  7. personal data storage locations;
  8. personal data transfers;
  9. the personal data’s retention period; and
  10. a description of the security measures in place.

14.   Data transfer agreements

IACL will require all third parties to comply with this Policy through an agreement or an MOU as part of the signing of partnership agreements. Such agreements will specify the specific purpose(s) and legitimate basis for the processing or transfer of personal data.

Data transfer agreements shall:

  1. address the purpose(s) of the data transfer, the specific data elements to be transferred and the data protection and data security measures to be put in place;
  2. require the third party to undertake that its data protection and data security measures are in compliance with this Policy; and
  3. stipulate consultation, supervision, accountability and review mechanisms for the oversight of the transfer for the life of the agreement.

15.   Data breach

IACL will maintain a register of all data breaches.

IACL’s staff will notify their line managers as soon as possible upon becoming aware of a personal data breach.

The notification will describe:

  1. The nature of the personal data breach, including the categories and number of data subjects and data records concerned;
  2. The known and foreseeable adverse consequences of personal data breach; and
  3. The measures taken or proposed to be taken to mitigate and address the possible adverse impacts of the personal data breach.

16.   External use and legal provisions

  1. Title to all data belonging to IACL resulting from data processing shall reside in IACL and shall be protected by data protection laws of the
  2. Third parties may not process data belonging to IACL without consultation with IACL.
  3. Any data processed jointly shall be jointly owned by IACL and third party with whom the joint processing was
  4. Nothing in this policy will prevent legal action from being undertaken against a person who violates the provisions of this policy or of any Kenyan laws and regulations.
  5. All matters arising out of or relating to this policy shall be governed by and are to be construed in accordance with the Laws of Kenya, excluding any conflict of law provisions, with Kenyan courts having exclusive jurisdiction in all disputes arising therein.
